Title: Tech 101: CalDAV and other drugs
Date: 2018-01-08
Modified: 2018-01-08
Category: Blog
Slug: tech-101-caldav-and-other-drugs
Tags: tech-101, howto
Summary: The story of how Koz wanted a synchronizable todo list

Happy 2018! A mixture of things have kept me preoccupied until now, including,
but not limited to, a hand injury stopping me from typing properly, a holiday
period, and of course, my favourite pastime of all, [yak shaving][1] (of both
varieties). This post is largely borne from my efforts in yak shaving of a
certain problem, motivated by a desire to get more organized in 2018 -
specifically, the problem of having a synchronized list of things to do.

More specifically, the problem is thus: I use a _lot_ of devices. I have a
desktop computer, a laptop, a microserver, a tablet _and_ a smartphone, and on
top of that, I also have a computer assigned to me in my office at uni. For a
to-do list to be useful, I have to be able to:

* Have the list available no matter which device I have close to hand;
* Be able to modify and delete entries from all these places; and
* Ensure that the entries are kept consistent across all devices.

This, by itself, could be done using some kind of manual synchronization method
(such as Git), but that would be both too much work and (strangely) too easy.
Something as boring as keeping files synchronized across multiple locations is a
job for a computer, not a person. Additionally, I disdain 'cloud' 'services'
with a fiery passion, as they're all basically [surveillance capitalism][2],
whether you pay for them or not, and the inability to know or modify what
they're running also offends my inner engineer and perfectionist. Lastly, I
would much prefer a [replication][3]-based approach, because relying on an
Internet connection at all times is asking for trouble. That the solution 
needed to both be open source and work from a command line where possible 
should go absolutely without saying.

It turned out that all of these criteria can be met, and the result brings 
with it a considerable number of additional helpful things. However, setting
everything up is not simple; you have to do it in an oddly specific order, and 
the documentation for each of the pieces of puzzle seems strangely unaware of 
each of the others, requiring no small amount of guesswork. Thus, this post 
is meant to be a guide for anyone who wants to do this all themselves, and 
benefit from the (arguably extremely cool) outcomes of all this without 
having to go through the same frustrations I did.

## The solution I found ##

The core of this whole bag of tricks is [CalDAV][4] - an open standard for
remote storage and access of calendars and contacts. As it is an open standard,
there are a whole bunch of implementations of both servers and clients for it,
which work on pretty much every platform you can think of. The main thing for
me, though, was that it can also synchronize to-do lists, even thought that's
not its primary purpose. The fact that I _also_ get contacts and calendar
synchronization on top of that is just gravy.

CalDAV relies on a client-server model, and so to use it, you need a server. The
one I went with was [Radicale][5], as it's written in Python (so no need to run
a disgusting slurry), is open source, and will happily run on a smaller device.
It also has authentication capabilities on a per-user basis, and lets each user
have multiple contact lists, calendars and to-do lists, so if I ever want to
share the server with others in a secure way, I can. From the point of view of
client programs, I basically only need two: one for my Linux-based machines, and
one for my Android devices. For the former, I decided to go with [todoman][6], as
it's a simple command-line manager of to-do lists, while for the latter, I went
with [OpenTasks][7] mostly by process of elimination. Lastly, both clients need a
separate synchronizer program, which for me ended up being [vdirsyncer][8] for 
todoman and [DAVDroid][9] for OpenTasks.

## What you will need ##

Obviously, this is not easy to set up if you haven't self-hosted before, and
you're going to need certain basics in place. In particular, the following are
necessary:

1. A static IP address (either via your ISP, a VPS, or something else)
1. A machine to act as a server (any of the cheaper ARM-based SBCs will do)
1. A domain name
1. A web server set up to serve to the domain name you own (I use Nginx)
1. A Let's Encrypt certificate for the domain name you own, with appropriate
   configuration for your web server and auto-renewal

Setting up all of this is outside the scope of this particular article, although
I may write something for each of these things one day. If you already have a
self-hosted blog with HTTPS, you're all set. I will use Nginx as the web server
throughout this writeup, but if you use something else, it shouldn't be vastly
different.

## What to do ##

For reasons that completely elude me, each of these tasks must be done in
_exactly_ the order I'm presenting them in. If you don't do them in this order,
you'll either end up having to repeat work, or, in the worst case, your stack
won't work and you won't know why. I discovered this order through a lot of
trial and error, so spare yourself the pain and just follow it.

### 1. Set up Radicale ###

Installing Radicale is basically the same as setting up any Python package. You
can use ``pip`` if that's how you want to do things, or you can check if your
distro packages it. Fortunately for me, Radicale was packaged for Arch Linux (in
the AUR, of course), so this part of the setup was fairly painless.

We also want to make sure that we have authentication support for users. This is
a good policy even if you don't plan to share, as it means that random drive-by
connections to your server won't make it off with your contacts or calendar. To
do this, you'll need a tool called ``htpasswd``, which is packaged with the
Apache server. If you don't have it (and I didn't, because I use Nginx), the
easiest thing to do is just to download it, although [you can do without][10].
Additionally, you want to make sure you have Python's ``passlib`` and ``bcrypt``
modules available, so go ahead and install those too. The AUR package for
Radicale even helpfully tells you that they're optional dependencies.

If you are using a distro package, this next step might be optional, depending
on how your package is configured. In order to ensure good privilege
containment, Radicale should run as its own user, with its own directory,
without being able to write to arbitrary places. The AUR package already does
this for you, but if you installed it using ``pip`` or through a different
package manager, you may have to do this step yourself. We'll assume that
Radicale's home directory is ``/home/radicale``, and its user is named
``radicale`` for the rest of this writeup.

We need to create a ``users`` file which Radicale has access to, which we'll put
in ``/home/radicale/users``. You can create as many users as you want, but
you'll need at least one. The command in my case was:

    ::sh
    [koz@banana ~]$ sudo -u radicale htpasswd -B -c /home/radicale/users koz

You'll be prompted to create a password for this new user, then confirm it.
Repeat this as many times as desired.

Next, you need to configure Radicale itself. There's really only two things we
need to do - specify what port Radicale will listen on, and tell it that we'll
be using our brand-new ``users`` file for authentication. This is quite
straightforward: edit ``/etc/radicale/config``, and ensure it contains these
lines uncommented:

    [server]
    hosts = 127.0.0.1:5232

    [auth]
    type = htpasswd
    htpasswd_filename = /home/radicale/users
    htpasswd_encyption = bcrypt

Now, all of this bears some explanation before we continue. Radicale normally
runs only locally; it'll be the job of our friendly web server to forward it
external requests, with HTTPS authentication thanks to our Let's Encrypt
certificate. We're using bcrypt for password hashing (hence the ``-B`` flag to
``htpasswd`` and the setting in the ``config`` file) because [that is what you
should do no really][11]. With this, Radicale will nicely manage our contacts,
calendars and (most importantly for us) to-do lists, with authentication so that
our data doesn't get stomped on by randos.

At this stage, it's a good idea to test-start Radicale's server. You can do it
by invoking ``sudo -u radicale python radicale -f --debug``, then checking
localhost at port 5232. If you get a login page, success! If not, check the log
spew you're getting in your terminal to deduce what's up.

Once you have everything working, start the daemon, either manually or using
whatever init system you favour. The AUR package provides a systemd service
file, which works well enough, but needs a few edits to match your directory,
and also to provide it the ``--debug`` flag.

### 2. Set up your web server to serve Radicale ###

Running your Radicale locally isn't going to get you very far on its own, so now
we need to set up your web server properly. Once again, the examples given here
use Nginx, so if you use some other web server, adjust appropriately.

In your Nginx config, you'll have an entry for your HTTPS server. In that
``server`` block, you want to add something that looks like this:

    location /radicale/ {
      proxy-pass         http://localhost:5232/;
      proxy-set-header   X-Script-Name /radicale;
      proxy-set-header   X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy-pass-header  Authorization;
    }

This will allow you to access your Radicale server at
``https://your-domain.coffee/radicale/``. Restart your web server and check that
you can using an ordinary browser. If all went well, you should be able to get a
login page. Try using the credentials you created previously to log in - you
should be able to do so, but there won't be much there to look at yet.

### 3. Download and set up OpenTasks ###

I would suggest using [F-Droid][12] for this. Simply install the app, run it, and
give it appropriate permissions. You won't have anything useful there right now,
and thus, this step seems a bit silly, but as you'll see, this is essential.

### 4. Download and set up DAVDroid ###

Again, F-Droid is recommended. Once you've installed DAVDroid, you'll need to
point it at your now-accessible Radicale instance. You'll need to select 'Login
with URL and user name', and enter the link you tested with above, followed by
your credentials as generated in the first step. 

If successful, you'll land on a screen asking you to create a user. Now, you're
likely a bit confused at this point, because you're not [Xzibit][18], and you've
already created a user, but this is different. In the context of Radicale,
'users' are authentication groups to the server; in the context of DAVDroid,
'users' are individual instances of collections of contacts, calendars and to-do
lists in the same authentication group. Why these two terms were given such
similar names will always be beyond me. Additionally, DAVDroid will not inform
you what 'users' (from the DAVDroid point of view) exist on the 'user' (from the
Radicale point of view) that you've just logged into. It suggests using your
email address for the username, and I strongly suggest doing the same, as it'll
allow you to keep things nice and consistent if you have multiple Android
devices. 

After this, you'll be on a screen with a CardDAV section and a CalDAV section.
The former is where you can create and store contact lists, while the latter is
where you can create and store calendars and to-do lists (or combinations of
both if you choose). For myself, I created one of each, but for the purposes of
this write-up, it's sufficient to just create a to-do list with an appropriate
name. Ensure that you synchronize it to the server before you continue. You may
also want to tell DAVDroid to only sync manually, to avoid draining your battery
and needlessly using mobile data when not appropriate.

### 5. Set up OpenTasks, again ###

You're probably wondering at the ordering, but unfortunately, it's a known bug
that installing DAVDroid first will break OpenTasks. This fact is hard to find
(in fact, I'm not managing to find out where _I_ found out), but unfortunately,
them's the breaks. Add it to the list of things which make Android weird, I
guess.

Here, you just have to re-open OpenTasks, and delete the local task list which
you no longer need. Task lists are OpenTask's terminology for to-do lists; to
remove the local list, go to 'Displayed lists' in the corner menu and then
follow on from there. After you're done, you should _only_ have the synchronized
task list you created earlier, which is empty.

### 6. Set up vdirsyncer ###

You can install vdirsyncer using either ``pip`` or your package manager as you
prefer (assuming your distro bundles it). After this, we need to set up its
configuration file, which normally resides in ``~/.config/vdirsyncer/config``.
The file should look something like this:

    [general]
    status_path = "~/.vdirsyncer/status/

    [pair]
    conflict_resolution = "b wins"
    a = "todo_local"
    b = "todo_dav"
    collections = ["from a", "from b"]
    metadata = ["color", "displayname"]

    [storage todo_local]
    type = filesystem
    path = "~/documents/todo"
    fileext = ".ics"

    [storage todo_dav]
    type = "caldav"
    url = "https://your-domain.coffee"
    username = "Auser"
    password = "this is a secret"

This bears some explanation too. The way vdirsyncer works is by using 'pairs' of
local and remote documents. In this case, the local document is this machine's
replica of your to-do list (which is going to be stored in
``~/documents/todo``), and the remote document is the replica living on your
server machine, managed by Radicale. You can have as many of these as you like,
but in our case, this will do. We do this after setting everything up for
DAVDroid because it's the easiest way to do this.

You then need to run ``vdirsyncer discover pair``, followed by ``vdirsyncer
sync``. This will transfer a directory with a name that looks like a hash from
your Radicale instance, which will go into ``~/documents/todo``. Note what this
is - I will use ``deadbeef`` as the name for typing simplicity. From this point
onward, every time you make any changes to your todo list that you want
synchronized, just run ``vdirsyncer sync`` and they'll be matched. You can
automate this if you want, but I didn't bother.

### 7. Set up todoman ###

Like vdirsyncer, todoman is a Python program, so install it as appropriate. We
need to set it up so that it sends your to-dos to the folder we've set
vdirsyncer to synchronize. For that to work, todoman's configuration file should
look like:

    [main]
    path = ~/documents/todo/*
    date_format = %Y-%m-%d
    time_format = %H:%M
    default_list = deadbeef 
    default_due = 1 

The other settings are mostly self-explanatory if you're familiar with Python's
format strings. ``default_due`` is the default number of hours from the point of
a new to-do item being created that it will be due - adjust as appropriate to
your needs.

With that, run ``todo`` from your command line, which shouldn't produce any
output (as our to-do list is currently empty). To create a new item, run ``todo
new`` from the command line, and use the TUI provided. Create a test item, and
check that you can see it with ``todo``.

### 8. Profit! ###

You are now ready to check synchronization. Try running ``vdirsyncer sync``, and
then when it completes, try refreshing in DAVDroid, then checking OpenTasks. If
your task appears there successfully - well done, you are well on the way to
being more productive. If not, work backwards and check that you've completed
all the steps along the way. You can delete the sample task if you want - you
can do this using ``todo delete x``, where ``x`` is the number that appears next
to the task when you run ``todo``.

## How to find out more ##

This has been a pretty 'quick-and-dirty' rundown of how to set all this up.
Obviously, your needs might be very different, and even if they're not, you
might at least want to know what your options are. Here is the relevant
documentation:

* [Radicale][13]
* [todoman][14]
* [vdirsyncer][15]

For DAVDroid and OpenTasks, there's not much out there, but they're fairly
self-explanatory as long as you install them in the right order.

## Deficiencies ##

Despite this scheme being rather brilliant, there are a few missing pieces:

* todoman is a CLI client. If GUIs are more your thing, you can [check out your
  options here][16].
* No current way to set up recurring tasks. todoman devs are [working on it][17], 
  but I am unsure if OpenTasks devs are.

These are not deal-breakers for me, but you may disagree. As always, think hard,
have fun, and happy to-do listing.

[1]: https://en.wiktionary.org/wiki/yak_shaving
[2]: https://en.wikipedia.org/wiki/Surveillance_capitalism
[3]: https://en.wikipedia.org/wiki/Replication_(computing)
[4]: https://en.wikipedia.org/wiki/CalDAV
[5]: http://radicale.org/
[6]: https://github.com/pimutils/todoman
[7]: https://f-droid.org/packages/org.dmfs.tasks/
[8]: https://github.com/pimutils/vdirsyncer
[9]: https://f-droid.org/en/packages/at.bitfire.davdroid/ 
[10]: https://coderwall.com/p/zvvgna/create-htpasswd-file-for-nginx-without-apache
[11]: https://codahale.com/how-to-safely-store-a-password/
[12]: https://f-droid.org
[13]: http://radicale.org/documentation/
[14]: http://todoman.readthedocs.io/en/stable/
[15]: https://vdirsyncer.pimutils.org/en/stable/
[16]: http://wiki.davical.org/index.php/CalDAV_Clients
[17]: https://github.com/pimutils/todoman/issues/288
[18]: http://knowyourmeme.com/memes/xzibit-yo-dawg
